PatchSiren cyber security CVE debrief

CVE-2026-6476 PostgreSQL CVE debrief

A SQL injection vulnerability in PostgreSQL's pg_createsubscriber function allows authenticated attackers with pg_create_subscription rights to execute arbitrary SQL commands with superuser privileges. The vulnerability affects PostgreSQL versions 17.0 through 17.9 and 18.0 through 18.3; versions prior to 17.0 are unaffected. The attack vector requires network access and low attack complexity, but high privileges (pg_create_subscription rights). Successful exploitation results in complete confidentiality, integrity, and availability compromise of the database server. The vulnerability was published on 2026-05-14 and last modified on 2026-05-18. No known exploitation in ransomware campaigns has been reported.

Vendor: PostgreSQL
Product: PostgreSQL
CVSS: HIGH 7.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-18
Advisory published: 2026-05-14
Advisory updated: 2026-05-18

Who should care

Database administrators managing PostgreSQL 17.x or 18.x installations; security teams responsible for database infrastructure; organizations using logical replication with subscription creation capabilities; compliance officers tracking privilege escalation vulnerabilities in database systems

Technical summary

The pg_createsubscriber function in PostgreSQL contains a SQL injection vulnerability that allows an attacker holding pg_create_subscription rights to inject arbitrary SQL statements. The next time pg_createsubscriber is invoked, the injected SQL executes with superuser privileges, giving the attacker complete control over the database instance. The root cause is improper input sanitization in the function's SQL construction logic. Affected versions are PostgreSQL 17.0 through 17.9 and 18.0 through 18.3. The CVSS 3.1 base score of 7.2 reflects high confidentiality, integrity, and availability impact, offset by the high privilege level (pg_create_subscription) required for exploitation.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade PostgreSQL to version 17.10 or later for version 17.x installations, or version 18.4 or later for version 18.x installations
  • Audit database user accounts and revoke pg_create_subscription privileges from non-essential accounts pending patch deployment
  • Monitor database logs for anomalous pg_createsubscriber execution patterns and unexpected superuser-level operations
  • Review and restrict network access to PostgreSQL instances to authorized administrative hosts only
  • Verify backup integrity and ensure recovery procedures are tested before applying updates in production environments
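The following psql session is an added example, not part of the PatchSiren debrief or the PostgreSQL project's own material. It implements the version check and the privilege audit from the actions above: it reports the running server version, lists every non-superuser role that holds pg_create_subscription directly or through nested role grants, revokes it from one role, and turns on DDL statement logging so that subscription creation appears in the server log. The role name app_replication is a constructed placeholder; pg_roles, pg_has_role, version(), and log_statement are standard PostgreSQL objects.

```sql
-- 1. Confirm the server version before deciding whether the fix applies.
--    Affected per the advisory: 17.0-17.9 and 18.0-18.3; fixed in 17.10 / 18.4.
--    server_version_num is numeric (e.g. 170009 = 17.9), which is easier to compare.
SELECT version(), current_setting('server_version_num') AS server_version_num;

-- 2. Audit: every role that can create subscriptions, including roles that
--    inherit pg_create_subscription through another role. Superusers are
--    excluded because pg_has_role() reports them as members of every role.
SELECT r.rolname,
       r.rolcanlogin,
       r.rolsuper
FROM   pg_roles AS r
WHERE  pg_has_role(r.oid, 'pg_create_subscription', 'MEMBER')
  AND  NOT r.rolsuper
  AND  r.rolname <> 'pg_create_subscription'
ORDER  BY r.rolname;

-- 3. Revoke the privilege from a non-essential account pending the upgrade.
--    app_replication is a constructed example role name; replace with an
--    account found by the audit query above.
REVOKE pg_create_subscription FROM app_replication;

-- 4. Re-run the audit to confirm the revocation took effect (expect the
--    role to be absent from the result set).
SELECT r.rolname
FROM   pg_roles AS r
WHERE  pg_has_role(r.oid, 'pg_create_subscription', 'MEMBER')
  AND  NOT r.rolsuper
  AND  r.rolname <> 'pg_create_subscription';

-- 5. Log DDL so CREATE SUBSCRIPTION and related statements are recorded in
--    the server log for the monitoring step. Applies cluster-wide after reload.
ALTER SYSTEM SET log_statement = 'ddl';
SELECT pg_reload_conf();
```

Run the audit on every cluster in the fleet, not only the one first flagged: pg_create_subscription is a predefined role, so grants made by a previous administrator are easy to overlook. The ALTER SYSTEM change persists in postgresql.auto.conf; if the cluster already uses log_statement = 'all', leave it as is.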

Evidence notes

Vulnerability confirmed through NVD analysis with vendor advisory from PostgreSQL. CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. CWE-89 (SQL Injection) classification provided by vendor reference.

Official resources

2026-05-14T14:16:25.230Z